Paranoid Penguin - Interview with Marcus Meissner

MB: In the Linux world, we've seen less malware (viruses,
trojans and worms) than the Microsoft Windows world has been subject to. Why
is this, do you think?

MM: First, Microsoft Windows just has more installations,
and so it is a more valuable target; thus, it gets more research into
exploitability.

Second, Windows has quite a high integration level. You can do lots
of stuff from everything, and this was seen as a good thing—easy embedding
of document/image viewing and so on. Although on the one hand, this is a good
thing, it also exposes a lot more code to the attackers.

Plus, the Windows software development community before the Internet
was not really programming with security in mind, and so there were
large holes.
The same goes for reviewing the code; it was hard without source for
externals.

It's something like a mix of all those things, I guess.

MB: My own opinion for several years has been that Linux isn't
inherently more or less secure than Windows; their underlying security
models are very similar. What are your thoughts on this?

MM: UNIX/Linux has, for example, the advantage that we
separated (the concept of) the user from the administrator right from the beginning,
which Windows still has problems with.

Due to less integration, or integration at different levels, Linux has
perhaps a better chance of resisting those attacks.

Linux also has less of a monoculture in programs and libraries, and it
is also more rapidly changing than perhaps on Windows.

MB: What kind of potential do you see in mandatory access
control (MAC) systems, like AppArmor and SELinux, in improving Linux
security for the masses? To what extent do you think they're already
helping?

MM: It's difficult to say. I have no experience with SELinux,
but with AppArmor, I see a bit of acceptance issues in default settings,
and then it does not catch everything.

MB: When SUSE incorporated Novell AppArmor into its general
releases, this caused a bit of controversy. It seemed like some people
involved with SELinux felt that this undermined their efforts. As a SUSE
employee, I assume you're pro AppArmor, but what do you think about the
controversy? Isn't it healthier for multiple MAC options to be available
to people?

MM: There surely was controversy, but most of it seems to
have died down now.

It is healthier to have more than one MAC system, especially in exploring
the MAC problem from different angles.

That AppArmor was much more usable than SELinux also has caused lots of
thinking and usability improvements in SELinux (think targeted policies,
booleans and so on), and the other way around. AppArmor now can contain more
things than in earlier times.
We currently see both as solutions that even could co-exist to some
degree.

Other new MAC approaches, like SMACK and so forth, also are appearing now.

MB: So, are there any plans for SUSE to support SELinux,
as an alternative to AppArmor?

MM: I cannot say at this time, especially since partner
requirements are still open for future products.

Virtualization

MB: When Linux virtualization first started to emerge into
the mainstream a few years ago, it seemed to me that the whole concept
of a hypervisor—an intelligence logically above the guest-OS kernel
that manages system resources and monitors VM behavior—has a lot of
security potential. Nowadays, I wonder whether I wasn't overly optimistic.
The additional layer of abstraction might introduce other attack
vectors. Your thoughts?

MM: Virtualization environments, unfortunately, were/are sold
as security solutions, but the breakout possibilities are only now being
investigated, and there likely was no formal containment design from
the ground up.

Several ways also have been found for almost all virtualization
technologies to break out of confinement.

So yes, I think its being used as security containers is overly
optimistic.

Embedded Linux

MB: One of the most remarkable developments in Linux, it seems
to me, is its rapid inroads in the embedded systems market. All kinds
of consumer electronic devices are now Linux-powered. Does SUSE ever
show up in this space? Do the particular challenges and ramifications
of embedded operations figure into your team's work?

And, from a security perspective, how good of an idea is it to use a
general-purpose operating system like Linux (or Windows) for embedded
applications?

MM: We are not really showing in this space, even though
we are working to bring the enterprise desktop more into the thin-client
space. But, it's not the real embedded market.

What matters most for security in those devices is how they get updates
and what security processes are there from their vendors. If the vendor just
gives up support after six months for a device, but the device lives for
five years or longer, it's bad. You have lots of unpatched devices out there.